How to test for Secure Client-Initiated Renegotiation DOS Danger

Question asked by Jack son on Jan 5, 2014
Latest reply on Jan 13, 2014 by Ivan Ristić

Hi Ivan,

If OpenSSL issues "Secure Renegotiation is Supported" and the renegotiation (R) command can be submitted, this means the server supports "Secure Client-Initiated Renegotiation".

At the same time, can I assume the server is also vulnerable to Denial of Service (i.e. THC-SSL-DOS)?

The reason why I am asking is because of recent SSL Labs results. Refer to the following examples.

Host A

Secure Renegotiation: Supported
Secure Client-Initiated Renegotiation: Supported (DoS DANGER)

Host B

Secure Renegotiation: Supported
Secure Client-Initiated Renegotiation: No

Host A and Host B both responded to the Renegotiation (R) command, and I got "Secure Renegotiation is Supported" in the openssl output.
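The check the question describes, written out as a small script so a server operator can reproduce it against a host they administer. This is an added example, not code from the original thread or from SSL Labs: it drives `openssl s_client`, sends the "R" command after the handshake, and classifies the transcript. The hostname, the port default and the exact output strings matched (the RFC 5746 summary line, "RENEGOTIATING", the "no renegotiation" alert printed with `-state`, and the "verify return:" lines a fresh certificate check produces) are assumptions about s_client's output, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the original thread). Probes whether a TLS server
# accepts client-initiated renegotiation, the condition SSL Labs marks as
# "DoS DANGER", by driving `openssl s_client` and sending the "R" command.
# Host, port and the output strings matched below are assumptions.

# classify_renego: read a captured `openssl s_client -state` session on stdin
# and print one word:
#   accepted   RENEGOTIATING was followed by a fresh certificate verification
#   refused    the request drew a no_renegotiation / fatal alert or an error
#   unknown    R was never sent, or the transcript is inconclusive
classify_renego() {
  out=$(cat)
  # Keep only the part of the transcript after s_client echoed RENEGOTIATING.
  after=${out#*RENEGOTIATING}
  if [ "$after" = "$out" ]; then
    echo unknown
    return
  fi
  case "$after" in
    *"no renegotiation"*|*"alert read:fatal"*|*"error:"*) echo refused ;;
    *"verify return:"*) echo accepted ;;
    *) echo unknown ;;
  esac
}

# secure_renego_ext: does the handshake summary advertise RFC 5746
# (the "Secure Renegotiation IS supported" line)? Prints yes, no or unknown.
secure_renego_ext() {
  out=$(cat)
  case "$out" in
    *"Secure Renegotiation IS supported"*) echo yes ;;
    *"Secure Renegotiation IS NOT supported"*) echo no ;;
    *) echo unknown ;;
  esac
}

# probe_renego HOST [PORT]: the live check. Waits for the handshake, sends
# "R", gives the server a moment to answer, then closes stdin so s_client
# exits. -state makes s_client print alerts such as "no renegotiation".
# Needs network access; run it only against hosts you operate.
probe_renego() {
  host=$1
  port=${2:-443}
  transcript=$( { sleep 2; printf 'R\n'; sleep 3; } \
    | openssl s_client -connect "$host:$port" -servername "$host" -state 2>&1 )
  printf 'secure_renegotiation_extension=%s\n' \
    "$(printf '%s' "$transcript" | secure_renego_ext)"
  printf 'client_initiated_renegotiation=%s\n' \
    "$(printf '%s' "$transcript" | classify_renego)"
}

# Usage against a host you administer (hostname is a placeholder):
#   probe_renego tls.example.internal 443
```

Read the two lines together: the extension line answers the "Secure Renegotiation" row and the classification answers the "Secure Client-Initiated Renegotiation" row, which is why Host A and Host B in the question can both print "IS supported" yet differ on the second row. A server that reports `accepted` can be hardened by disabling client-initiated renegotiation in its TLS stack; the RFC 5746 extension alone does not close that off.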